rdar://82919366 (jsc_fuz: ASSERTION FAILED: !getDirect(offset) || !JSValue::encode(getDirect(offset)))

Right now, PutByVal and PutPrivateName check the value type to determine if a write barrier is needed. For example, putting a primitive is considered to not require a write barrier. This makes sense, except for the case when we might allocate or re-allocate a butterfly in the IC. This does not emit a write barrier, and so the GC might miss the new butterfly. That is somewhat undesirable.

This is a temporary conservative fix. If we don't write to the butterfly pointer, then we still don't need a write barrier; this work is captured by https://bugs.webkit.org/show_bug.cgi?id=230377
Created attachment 438408
Patch
Comment on attachment 438408
Patch

r=me
Comment on attachment 438408
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=438408&action=review

> Source/JavaScriptCore/dfg/DFGStoreBarrierInsertionPhase.cpp:241
> +        considerBarrier(child1); // FIXME: there are some cases where we can avoid a store barrier by considering the value

Can you put the bug https://bugs.webkit.org/show_bug.cgi?id=230377 in the FIXME comment as well. Same below.
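Review bot: the FIXME on DFGStoreBarrierInsertionPhase.cpp:241 should cite the tracking bug (https://bugs.webkit.org/show_bug.cgi?id=230377) so the unconditional considerBarrier(child1) is tied to the follow-up optimization rather than left as an orphaned note, e.g. "// FIXME: https://bugs.webkit.org/show_bug.cgi?id=230377 ...". Barriering the base object unconditionally is the right conservative choice here: a butterfly allocated or re-allocated by the IC is reachable only through child1, and a barrier decision based on the stored value's type alone would skip it, which is exactly the GC miss the bug description reports.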
Created attachment 438413
Patch
Committed r282663 (241804@main): <https://commits.webkit.org/241804@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 438413.